未设置HSTS

Question

我正在尝试使用HerokuCore3设置一个Http Strict-Transport-Security报头。我在一个开发环境中运行得很好，无论是谁发布到Asp.Net (使用https://elements.heroku.com/buildpacks/jincod/dotnetcore-buildpack)时，报头都不会出现(在任何页面上，通过http和https)。

            if (env.IsDevelopment()) {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
                app.UseBrowserLink();
                app.UseHsts(hsts => hsts.IncludeSubdomains().MaxAge(hours: 1));
            } else {
                app.UseExceptionHandler("/About/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts(hsts => hsts.IncludeSubdomains().MaxAge(days: 366));
            }

任何帮助都是非常感谢的！

我尝试过的

我尝试在Configure中使用内置的UseHSTS方法，并将AddHSTS添加到ConfigureServices中。然后我尝试使用NWebsec包的UseHSTS (在Configure中)，并使用相同的选项，但没有成功。

Answer 1

下面是https https://github.com/jincod/AspNetCoreDemoApp/blob/master/src/AspNetCoreDemoApp/Startup.cs的配置示例

ConfigureServices：

services.AddHttpsRedirection(options => { options.HttpsPort = 443; })
...
services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                                ForwardedHeaders.XForwardedProto;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

配置：

app.UseForwardedHeaders();
...
app.UseHttpsRedirection();

更多信息https://devcenter.heroku.com/articles/http-routing#routing和https://github.com/aspnet/Announcements/issues/301